In the 2022 attacks, ransomware operators took advantage of a number of outdated vulnerabilities that allowed the attackers to become persistent and migrate laterally to complete their objectives.
A report from Ivanti released last week stated that the flaws, which are prevalent in products from Microsoft, Oracle, VMware, F5, SonicWall, and several more companies, pose a clear and present danger to organisations who haven't yet remedied them.
Old bugs are still popular
Ivanti's study is based on data analysis from teams at Securin, Cyber Security Works, and Cyware as well as from its own threat intelligence team. It provides a thorough examination of the flaws that criminals frequently used in ransomware attacks in 2022.
In attacks last year, ransomware operators used a total of 344 different vulnerabilities, up 56 from 2021, according to Ivanti's analysis. A stunning 76% of these bugs were from 2019 or before. Three remote code execution (RCE) defects from 2012 in Oracle's products, CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment, were the oldest flaws in the group.
Ivanti's chief product officer, Srinivas Mukkamala, claims that while the data indicates that ransomware operators leveraged new vulnerabilities quicker than ever last year, many still relied on older vulnerabilities that are still present on enterprise systems.
"Older flaws being exploited is a byproduct of the complexity and time-consuming nature of patches," Mukkamala stated. "This is why organisations need to take a risk-based vulnerability management approach to prioritise patches so that they can remediate vulnerabilities that pose the most risk to their organisation."
Critical flaws
Ivanti identified 57 vulnerabilities as affording threat actors the ability to complete their whole goal, making them among the vulnerabilities that pose the most risk. These flaws gave an attacker the ability to acquire initial access, maintain persistence, elevate privileges, get around security measures, access credentials, find resources they might be looking for, move laterally, gather information, and carry out the intended task.
There were 25 vulnerabilities in this category that were dated 2019 or earlier, including the three Oracle flaws from 2012. Scanners are not presently picking up exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products made by ConnectWise, Zyxel, and QNAP, respectively.
Inadequate input validation was the cause of the majority (11) of the vulnerabilities in the list that presented a full attack chain. Path traversal flaws, OS command injection, out-of-bounds write errors, and SQL injection were some more frequent causes of vulnerabilities.
The most common flaws are broadly prevalent
Moreover, ransomware authors have a tendency to favour defects that affect a variety of items. CVE-2018-3639, a form of speculative side-channel vulnerability that Intel disclosed in 2018, was one of the most well-known of them. According to Mukkamala, the flaw affects 345 goods from 26 vendors. Other instances include the famed Log4Shell hole, CVE-2021-4428, which at least six ransomware gangs are presently using as an attack vector. The weakness was one of many that Ivanti discovered threat actors were using as recently as December 2022. At least 176 products from 21 different manufacturers, including Oracle, Red Hat, Apache, Novell, and Amazon, contain it.
The Linux kernel vulnerability CVE-2018-5391 and the critical elevation of privilege hole in Microsoft Netlogon CVE-2020-1472 are two further flaws that ransomware developers like to exploit because of their widespread availability. The vulnerability has been utilised by at least nine ransomware gangs, including those responsible for Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and it is growing in popularity with other groups as well, according to Ivanti.
A total of 118 vulnerabilities that were leveraged in ransomware attacks last year were discovered, according to the security research.
According to Mukkamala, "threat actors are particularly interested in defects that are present in most products."
The closely watched Known Exploited Vulnerabilities (KEV) database maintained by the US Cybersecurity and Infrastructure Security Agency does not contain 131 of the 344 weaknesses that ransomware attackers exploited last year. The database includes information on software weaknesses that threat actors are actively exploiting and that CISA deems to be particularly hazardous. According to CISA, federal entities must prioritise and usually respond to vulnerabilities listed in the database within two weeks.
Because many businesses use the KEV to prioritise patches, Mukkamala argues it's crucial that these aren't in the CISA KEV. This demonstrates that, although being a reliable resource, KEV does not give a comprehensive overview of all the vulnerabilities that are employed in ransomware attacks.
57 vulnerabilities that were leveraged in ransomware attacks last year by organisations including LockBit, Conti, and BlackCat have low- and medium-severity rankings in the national vulnerability database, according to Ivanti. The risk, according to the security provider, is that enterprises who utilise the score to prioritise patching may get complacent as a result.